There once was a time when organizations wouldn’t consider deploying critical applications in the cloud. It was too much of a business risk from both an access and an attack perspective—and for good reason, since 28 percent of enterprises have experienced more security breaches in the public cloud than with on-premises applications. This is changing, however. Over the last few years, cloud computing has emerged as a serious option for delivering enterprise applications quickly, efficiently, and securely. Today almost 70 percent of organizations are using some cloud technology. And that approach continues to grow. According to the latest Cisco Global Cloud Index report, global data center IP traffic will nearly triple over the next five years. Overall, data center IP traffic will grow at a compound annual growth rate of 25 percent from 2012 to 2017.

This growth is to support our on-demand, always connected lifestyle, where
content and information must be accessible/available anytime, anywhere, and on
any screen. Mobility is the new normal, and the cloud is the platform to deliver
this content. No wonder enterprises are scrambling to add cloud components to
their existing infrastructure to provide agility, flexibility, and secure access
to support the overall business strategy. Applications that used to take months
to launch now take minutes, and organizations can take advantage of innovations
quickly. But most IT organizations want the cloud benefits without the risks.
They want the economics and speed of the cloud without worrying about the
security and integration challenges.

Use of the corporate network itself has become insecure, even with firewalls
in place. Gone are the days of “trusted” and “untrusted,” as the internal
network is now dangerous. It'll only get worse once all those IoT wearables hit
the office. Even connecting to the corporate network via VPN can be risky due to
the network challenges. Today, almost anything can pose a potential security
risk, and unauthorized access is a top data security concern.

Going against the current trend, some organizations are now placing critical
applications in the cloud and facing the challenge of providing secure user
access. This authentication is typically handled by the application itself, so
user credentials are often stored and managed in the cloud by the provider.
Organizations, however, need to keep close control over user credentials, and
for global organizations, the number of identity systems can be in the
thousands, scattered across geographies, markets, brands, or acquisitions. It
becomes a significant challenge for IT to properly authenticate the person
(whether located inside or outside the corporate network) to a highly available
identity provider (such as Active Directory) and then direct them to the proper
resources. The goal is to allow access to corporate data from anywhere with the
right device and credentials. Speed and productivity are key.

Authentication, authorization, and encryption help provide the fine-grained
access, regardless of the user’s location and network. Employee access is
treated the same whether the user is at a corporate office, at home, or
connected to an open, unsecured Wi-Fi network at a bookstore. This eliminates
the traditional VPN connection to the corporate network and also encrypts all
connections to corporate information, even from the internal network.

In this scenario, an organization can deploy the BIG-IP platform, especially virtual
editions, in both the primary and cloud data centers. BIG-IP intelligently
manages all traffic across the servers. One pair of BIG-IP devices sits in front
of the servers in the core network; another pair sits in front of the directory
servers in the perimeter network. By managing traffic to and from both the
primary and directory servers, the F5 devices ensure the availability and
security of cloud resources—for both internal and external (federated)
employees. In addition, directory services can stay put as the BIG-IP will
simply query those to determine appropriate access.

While there are some skeptics, organizations like GE and Google are already transitioning their corporate applications to cloud deployments and more are following. As Jamie Miller, President & CEO at GE Transportation, says, 'Start Small, Start Now.'

Michael Koyfman, Sr. Global Security Solution Architect, shares the access challenges organizations face when deploying SaaS cloud applications. Syncing data stores to the cloud can be risky, so organizations need to utilize their local directories and assert the user identity to the cloud. SAML is a standardized way of asserting trust, and Michael explains how BIG-IP can act either as an identity provider or a service provider so users can securely access their workplace tools. Integration is key to solving common problems for successful and secure deployments.

With all your other iOS 7 updates (if you've made the plunge), if you are running the BIG-IP Edge Client on your iPhone, iPod or iPad, you may have gotten an AppStore alert for an update. If not, I just wanted to let you know that version 1.0.6 of the iOS Edge Client is available at the AppStore with iOS 7 support.

Customers who use UDID in their access policies should have users update to this version.

It’s an all Nojan week at the Pulse2013 conference at the MGM Grand! This time, he shows Peter Silva how to deploy Maximo Asset Management with the new Maximo iApp from F5 found on DevCentral along with how to configure acceleration and SSO for Maximo users. Increased performance for remote users along with the ease of deployment for administrators. Got Maximo? Get BIG-IP APM.

I get an Inside Look at BIG-IP's new #SAML #Federation functionality in v11.3 with Sr. Security Solution Architect, Gary Zaleski. We cover BIG-IP as a SAML Service Provider (SP) and as a SAML Identity Provider (IdP). Watch how users can easily connect to Salesforce, SharePoint, Office365 and Google. Solving Substantiation with SAML.

Organizations are deploying distributed, hybrid architectures that can span multiple security domains. At any moment, a user could be accessing the corporate data center, the organization’s cloud infrastructure, or even a third party, #SaaS web application. #SAML can provide the identity information necessary to implement an enterprise-wide single sign-on solution.

Proving or asserting one’s identity in the physical world is often as simple as showing a driver’s license or state ID card. As long as the photo matches the face, that’s typically all that is needed to verify identity. This substantiation of identity is a physical form of authentication, and depending on the situation, the individual is then authorized either to receive something or to do something, for instance, enter a bar, complete a purchase, etc.

In the digital world, identity verification is not as easy as showing the computer monitor a driver’s license. To gain entry, you must provide information like a name, password, randomly generated token number—something you have, something you know, or something you are—to prove you are who you say you are.

Gaining access to corporate assets is no different. Many organizations, however, have multiple resource portals, each requiring digital proof of identity. Their users may also need to access partner portals, cloud-based Software as a Service (SaaS) applications, or distributed, hybrid infrastructures that span multiple data centers, each requiring a unique user name and password. In addition, the average employee must maintain about 15 different passwords for both her private and corporate identities, with many of those passwords also being used for social media and other risky entities. Statistics show that 35 to 50 percent of help desk calls are related to password problems, with each call costing a company between $25 and $50 per request.

Security Assertion Markup Language (SAML) is an XML-based standard that allows secure web domains to exchange user authentication and authorization data. It directly addresses the problem of how to provide the users of web browsers with single sign-on (SSO) convenience. With SAML, an online service provider can contact a separate online identity provider to authenticate users who are attempting to access secure content. For example, a user might need to log in to Salesforce.com, but Salesforce (the service provider) has no mechanism to validate the user. Salesforce would then send a request to an identity provider, such as F5 BIG-IP Access Policy Manager (APM), to validate the requesting user’s identity. BIG-IP APM version 11.3 supports SAML federation, acting as either a service provider or an identity provider, enhancing the employee’s online experience and potentially reducing password-related tickets at the help desk.

BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.

BIG-IP APM as a Service Provider

When a user initiates a request from a SAML IdP and the resources, such as an internal SharePoint site, are protected by BIG-IP APM, BIG-IP APM consumes that SAML assertion (claim) and validates its trustworthiness. This ultimately allows the user access to the resource. If the user goes directly to BIG-IP APM (as an SP) to access a resource (like SharePoint), then the user will be directed to the IdP to authenticate and get an assertion. Once a user is authenticated with a SAML IdP and accesses a resource behind BIG-IP APM, he or she will not need to authenticate again.

BIG-IP APM as an Identity Provider

Provided there is an SP that accepts assertions, a user can authenticate with BIG-IP APM to create an assertion. BIG-IP APM authenticates the user and displays resources. When the user clicks on an application, BIG-IP APM generates an assertion. That assertion can be passed on to the SP, which allows access to the resource without further authentication. When the user visits the SP first, the process is SP initiated; when the user goes directly to the IdP (in this case, BIG-IP APM) first to authenticate, the process is IdP initiated.
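As an added illustration (not F5 code and not part of the original post), the two roles described in the SP and IdP sections above in miniature: an IdP building a SAML 2.0 assertion, and an SP applying the checks that make an assertion trustworthy before it grants access, namely issuer trust, the NotBefore/NotOnOrAfter validity window, and the AudienceRestriction. The entity IDs and user are constructed, and XML signature verification is assumed to be done by an XML-DSig library and is not shown.

```python
"""Minimal SAML 2.0 assertion round trip: IdP issues, SP validates before granting access."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 assertion namespace
NS = {"saml": SAML}
FMT = "%Y-%m-%dT%H:%M:%SZ"                        # xs:dateTime, UTC
ET.register_namespace("saml", SAML)
IDP = "https://idp.example.test/idp"              # constructed entity IDs (not real)
SP = "https://sharepoint.example.test/sp"

def build_assertion(issuer, name_id, audience, issued_at, lifetime_s=300):
    """IdP side: Issuer, Subject, validity window bound to one audience; XML-DSig signing omitted."""
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_a1", Version="2.0",
                   IssueInstant=issued_at.strftime(FMT))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    expiry = issued_at + timedelta(seconds=lifetime_s)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=issued_at.strftime(FMT),
                         NotOnOrAfter=expiry.strftime(FMT))
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    return ET.tostring(a, encoding="unicode")

def validate_assertion(xml, trusted_issuers, my_entity_id, now):
    """SP side: checks applied after the XML signature has been verified by a
    DSig library (not shown). Returns (accepted, reason, name_id)."""
    root = ET.fromstring(xml)
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    nb = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not nb <= now < noa:                       # NotOnOrAfter is exclusive
        return False, "outside validity window", None
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:             # issued for a different SP
        return False, "audience mismatch", None
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def demo():
    """Happy path, replay after expiry, assertion meant for another SP, untrusted issuer."""
    t0 = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    good = build_assertion(IDP, "alice@example.test", SP, t0)
    other = build_assertion(IDP, "alice@example.test", "https://other.example.test/sp", t0)
    return (validate_assertion(good, {IDP}, SP, t0 + timedelta(seconds=10)),
            validate_assertion(good, {IDP}, SP, t0 + timedelta(seconds=600)),
            validate_assertion(other, {IDP}, SP, t0 + timedelta(seconds=10)),
            validate_assertion(good, {"https://rogue.example.test/idp"}, SP, t0))
```

Only the first case in `demo()` is accepted; the other three show why an SP must reject a replayed, misdirected, or unknown-issuer assertion even when its signature is valid.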

BIG-IP APM in a SAML Federation

SAML can be used to federate autonomous BIG-IP APM systems. This allows a user to connect to one BIG-IP device, authenticate, and transparently move to other participating BIG-IP devices. Session replication is not part of SAML, but administrators can populate session information on participating systems. This means that BIG-IP device federation does not enable the use of a single session within the federation; it only enables information exchange among multiple members of the federation. Each participating BIG-IP device maintains its own independent session with the client, and each has its own access policy that executes separately and independently.

Participating federation members can exchange information with any other federation members outside of sessions where needed. A common configuration is to have a dedicated BIG-IP device as a primary member to which users are authenticated and that provides information to other members. This allows a number of other BIG-IP devices to work in conjunction with that primary member. The primary member is dedicated as an IdP, while the other participating members operate as SPs.

Benefits

The benefits of deploying BIG-IP APM as a SAML solution certainly include better password management, fewer help desk calls, and an improved user experience, but BIG-IP APM can also add additional context to requests. For instance, it can include endpoint inspection results as attributes to inform the application of the client’s security posture. In addition, IT administrators do not need to retrofit applications (e.g., .NET apps do not need a Kerberos claims plug-in). Another advantage is extensive session variable support, which allows organizations to customize each user session. BIG-IP APM can bring SAML to resources and applications with minimal back-end changes—or none. These benefits all complement the values of BIG-IP APM to the overall traffic management of an organization’s IT infrastructure.

IT infrastructure has changed dramatically over the past few years, with many applications moving to cloud-based services. Corporate employees have also morphed into a mobile workforce that requires secure access to that infrastructure any time, from anywhere, and with any device. Bridging the identity gap between physically and logically separated services allows organizations to stay agile in this ever-changing environment and gives users the secure access they need around the clock.

BIG-IP APM version 11.3, in addition to delivering high availability and protecting organizations’ critical assets, provides a SAML 2.0 solution that offers the identity bridge needed to manage access across systems.

I catch up with Brian Pfeffer, Director of Business Development for PhoneFactor. PhoneFactor's phone-based two-factor authentication solutions integrate with BIG-IP APM and BIG-IP Edge Gateway and Brian shows how it works along with some of the new PhoneFactor mobile apps.